U.S. DEPARTMENT OF COMMERCE
Office of Inspector General

U.S. PATENT AND TRADEMARK OFFICE

Information Security in Contracts Needs Better Enforcement and Oversight

Final Inspection Report No. OSE-17455
September 2005

PUBLIC RELEASE

Office of Systems Evaluation

U.S. Department of Commerce, Office of Inspector General
Final Inspection Report OSE-17455, September 2005

CONTENTS

EXECUTIVE SUMMARY ............................................................ i
INTRODUCTION .................................................................. 1
OBJECTIVES, SCOPE, AND METHODOLOGY ............................................ 4
FINDINGS AND RECOMMENDATIONS .................................................. 5
I. Most USPTO Contracts Include IT Security Clauses, but Important Requirements Are Not Implemented Properly or Are Not Enforced ............ 5
   A. USPTO Has Incorporated the IT Security Clauses into Most Contracts ..... 5
   B. Contract Risk Levels Are Not Designated Correctly, and Background Screenings May Be Too Low for Many Contractor Employees ............... 6
   C. Failure to Certify and Accredit Contractor Systems Places USPTO at Risk . 8
Appendix ..................................................................... 13
Attachment: USPTO’s Response

EXECUTIVE SUMMARY

The Federal Information Security Management Act (FISMA) requires agencies to develop and implement programs to protect information and information technology (IT) systems. FISMA requirements apply to all federal contractors who use federal information, or operate or have access to federal information systems on behalf of an agency. The Office of Management and Budget (OMB) has cited contractor security as a government-wide challenge since 2001 and has directed agencies and the OIG to report on agency oversight of contractor IT security.

In response to findings and recommendations made by OIG in May 2002,[1] the Department issued two contract clauses containing IT security requirements. USPTO, as part of its information security program, adopted these clauses to protect information and IT systems from risks posed by contractors who connect to its network or process or store sensitive agency information. The clauses require contractors to comply with USPTO’s IT security handbook, have their IT systems certified and accredited,[2] and have their employees undergo appropriate background screening.

We conducted our evaluation to determine whether USPTO had incorporated the two security clauses into IT service contracts and to evaluate the implementation of the clause requirements. We found that most contracts in our sample contained the clauses and that contractor employees receive IT security awareness training. However, USPTO is not properly implementing key requirements in the clauses and in some cases is not enforcing them. Specifically, USPTO designated all contracts in our sample as low risk, even though the relevant criteria suggest that some contracts should have high or moderate risk designations. In these cases, contractors did not receive the appropriate background screening. In addition, contractors have not submitted certification and accreditation packages, and therefore no contractor IT system has been certified or accredited.

We recommend that the Under Secretary of Commerce for Intellectual Property and Director of the U.S. Patent and Trademark Office direct appropriate management officials to ensure that contractor IT security is improved by, among other things, developing plans for establishing appropriate risk designations for contracts and certifying and accrediting contractor systems. (See page 12.)

…

In its September 29, 2005, response to our draft report, USPTO generally concurred with our findings and outlined the corrective actions planned or underway for each recommendation. We synopsize USPTO’s response following each recommendation (see pp. 11-12), and in one instance, we provide a comment on the response. USPTO’s complete response is included as an attachment to this report. The actions identified by USPTO are responsive to our recommendations and when implemented should improve IT security for contractor employees and contractor systems.

[1] U.S. Department of Commerce Office of Inspector General, May 2002. Information Security Requirements Need to be Included in the Department’s Information Technology Service Contracts. Report No. OSE-14788.
[2] Certification is the comprehensive assessment of the management, operational, and technical controls of an information system to determine if the controls are implemented correctly, operating as intended, and producing the desired outcome. Accreditation is management’s formal authorization to allow a system to operate, and acceptance of remaining system vulnerabilities.

INTRODUCTION

The Federal Information Security Management Act (FISMA)[3] requires agencies to develop and implement programs to protect information and information technology (IT) systems. As agencies increasingly rely on contractors to support their missions, it has become apparent that risks to government information and IT systems could be introduced through contractor employees and their IT systems. For example, contractor operations may lead to

    • Unauthorized modifications to information;
    • Introduction of malicious software;
    • Unauthorized disclosure of, or access to, sensitive information; and
    • Disruption to government operations by IT system failures or denial of access.[4]

FISMA requires agencies to review their information security program annually and Offices of Inspector General (OIGs) to independently evaluate agency IT security programs.
How these programs are being applied to contractors is a focus of this year’s FISMA reporting instructions issued by the Office of Management and Budget (OMB): Chief Information Officers (CIOs) and OIGs are directed to report on agency oversight of contractor IT security. OMB’s instructions emphasize that contractors’ IT security procedures must be “identical, not equivalent” to those of federal agencies. In support of our 2005 FISMA reporting requirements, we evaluated USPTO’s efforts to implement IT security requirements for contractor employees and systems.

USPTO plays an integral role in the nation’s intellectual property system. As part of its mission, the agency is responsible for awarding and protecting patents and trademarks. To perform these functions better, USPTO’s 21st Century Strategic Plan calls for total electronic processing for patents and trademarks. Because the information contained in both is critical to protecting the rights of patent/trademark holders and can impact significant business investment decisions, USPTO systems need to safeguard the confidentiality, integrity, and availability of the information. USPTO relies heavily on contractor employees and IT systems to accomplish this transformation and support operations.

USPTO IT Security Policy

USPTO’s IT security policy, Agency Administrative Order No. 212-4, aims to establish a secure IT environment to protect agency information and IT systems. The policy applies to both USPTO employees and contractors, and authorized creation of the IT security handbook. The handbook identifies specific security practices and refers to specific procedures contained in the agency’s technical standards and guidelines.

[3] Title III, E-Government Act of 2002 (P.L. 107-347).
[4] U.S. Government Accountability Office, April 2005. Information Security: Improving Oversight of Access to Federal Systems and Data by Contractors Can Reduce Risk.

IT Security Clauses

In response to a May 2002 OIG report,[5] which found that Commerce contracts frequently lacked adequate security provisions, the Department issued two contract clauses containing IT security requirements:

    • Security Requirements for Information Technology Resources (Commerce Acquisition Regulations (CAR) 1352.239-73) (clause 73).
    • Security Processing Requirements for Contractors/Subcontractor Personnel for Accessing DOC Information Technology (CAR 1352.239-74) (clause 74).

USPTO modified these clauses to reference its own policy and guidance without changing their substantive requirements. Clause 73 requires that contractors comply with USPTO’s IT security handbook; submit a certification and accreditation (C&A)[6] package 14 days after contract award for systems that connect with USPTO networks, or process or store sensitive information; and that USPTO approve or reject the C&A package. Clause 74 requires security awareness training for contractor personnel and designation of the contract risk level (i.e., high, moderate, or low) to define the type of background screening needed. In late 2003, the USPTO Office of Procurement directed contracting officers to incorporate clauses 73 and 74 into all new service contracts, as well as to insert clause 74 into all existing service contracts and clause 73 into all applicable existing contracts.[7]

Roles and Responsibilities

The task of imposing security requirements on contractors relies on the expertise of USPTO personnel spread across several operating units, as follows:

    Office of Procurement/Contracting Officers
       • Authorized to enter into and modify contracts.
       • Responsible for contractor compliance with contract terms and for safeguarding USPTO interests in procurements.
       • Appoint contracting officer’s representative (COR).

    Office of Chief Information Officer - Office of Acquisition Management (OCIO-OAM)
       • Directs the acquisition of IT products and services to support, develop, and maintain USPTO automated information systems.
       • Serves as COR for USPTO-wide IT contracts, providing day-to-day contract administration.

    OCIO - IT Security Program Office (ITSPO)
       • Develops and implements IT security to safeguard USPTO information and IT systems.
       • Provides IT security guidance and technical assistance.
       • Works with contractors to establish access to USPTO network and IT systems.

    Office of Security
       • Provides leadership on USPTO security programs.
       • Processes personnel security/suitability and security clearances.
       • Completes contractor suitability investigations.

    Operating Unit Personnel
       • Determine potential adverse impact on an organization if there is a breach of security.
       • Define contract requirements, which in turn determine contract risk designation and whether certification and accreditation of contractor IT system is required.
       • Senior manager serves as authorizing official for the accreditation of contractor IT systems.

[5] U.S. Department of Commerce Office of Inspector General, May 2002. Information Security Requirements Need to be Included in the Department’s Information Technology Service Contracts. Report No. OSE-14788. A subsequent OIG evaluation found that the Department had made progress in incorporating the new IT security clauses into contracts, but provisions for controlling contractor access to Department systems and networks were generally absent, and there was little evidence of contract oversight or of coordination among contracting, technical, and information security personnel. (U.S. Department of Commerce Office of Inspector General, September 2004. Office of the Secretary: Information Security in Information Technology Security Contracts Is Improving, but Additional Efforts Are Needed. Report No. OSE-16513.)
[6] Certification is the comprehensive assessment of the management, operational, and technical controls of an information system to determine if the controls are implemented correctly, operating as intended, and producing the desired outcome. Accreditation is management’s formal authorization to allow a system to operate, and acceptance of remaining system vulnerabilities.
[7] USPTO Office of Procurement told us that it modified about 35 contracts in early 2004 to include both clauses.
OBJECTIVES, SCOPE, AND METHODOLOGY

The objective of this review was to determine whether clauses 73 and 74 have been incorporated into IT service contracts and how USPTO has implemented their requirements, particularly in contracts that may require contractor systems to connect with the USPTO network or that allow contractor systems to access or store sensitive information.

To satisfy our objective, we selected a judgmental sample of 10 current contracts from listings provided by USPTO and the Department. The estimated value of the sample is $1.7 billion. (See table 1.) We reviewed contract files to determine whether the contracts contained the clauses and interviewed managers and staff from the Office of Procurement, OCIO-OAM, OCIO-ITSPO, Patent Office, and Office of Security.

As our evaluation criteria, we used clauses 73 and 74, FISMA, Commerce’s IT Security Program Policy and Minimum Implementation Standards, USPTO’s IT security policy, and NIST guidance. We conducted our evaluation in accordance with the Inspector General Act of 1978, as amended, and the Quality Standards for Inspections issued by the President’s Council on Integrity and Efficiency. We performed our fieldwork between April 2005 and July 2005.

Table 1. Contract Sample

    Contract Description                                        Number of     Estimated Value
                                                                Contractors   (in $ millions)
    IT product assurance                                             1                 3
    Systems Engineering and Technical Assistance (SETA)              2                72
    Systems Development and Integration (SDI)                        2               530
    Patent Data Capture                                              1               876
    System engineering for proprietary software                      1                 5
    Agency-wide administrative support services                      1               192
    Policy development for electronic filing and records management  1                 5
    Network vulnerability testing                                    1     Less than 100K
    Total Estimated Value                                                   $1.7 billion

    Source: Estimated values obtained from list of IT service contracts provided by USPTO Office of Procurement, April 7, 2005.

FINDINGS AND RECOMMENDATIONS

I. Most USPTO Contracts Include IT Security Clauses, but Important Requirements Are Not Implemented Properly or Are Not Enforced

We found that most of the contracts we reviewed contain the IT security clauses and that contractor employees receive IT security awareness training. However, USPTO is not properly implementing key requirements in the clauses and in some cases is not enforcing them. For example, the agency designated all contracts in our sample as low risk, meaning contract employees undergo a minimal background investigation, but the relevant Commerce Acquisition Manual (CAM) criteria suggest that some contracts should have high or moderate risk level designations; thus, many contractor employees should receive more rigorous background screenings commensurate with the potential impact an individual in that position could have on USPTO operations. Moreover, contractors have not submitted C&A packages, and therefore none of their systems has undergone certification testing or received accreditation.

A. USPTO Has Incorporated the IT Security Clauses into Most Contracts

Eight of the 10 contracts in our sample contained both IT security clauses. Among the 8 were recently awarded contracts as well as several that were in effect in 2004 but had been modified to include the clauses. USPTO did not document its decisions to keep the clauses out of the remaining 2 contracts, so we asked agency personnel to explain the rationale for the exclusions. They stated that in one case, the contractor was not connected to the USPTO network and did not have access to sensitive agency information. Therefore, the requirements of the clauses were not applicable. There are currently no open task orders under this contract, but if new task orders are issued, USPTO needs to evaluate whether the contractor will have access to sensitive information or connectivity to its network and should add the clauses as warranted.

The other contract was a task order under a General Services Administration (GSA) contract for IT security vulnerability testing.[8] The project manager stated that the clauses were not included because the nature of the contract work would cause the contractor to violate the IT security requirements established by clause 73.

We do not agree with the decision to exclude the clauses from this task order because the work it authorized gave the contractor access to USPTO systems and generated sensitive data. Yet, the contractor’s personnel were not subject to background screening, and the contractor’s systems were not certified and accredited. USPTO subsequently released, under a GSA contract, another solicitation for vulnerability testing that did not contain the IT security clauses, but after our discussions with the contracting officer agreed to incorporate clauses 73 and 74 into the solicitation.
We remain concerned, however, that there may be other task orders under government-wide contracts that should, but do not, contain the IT security clauses and that USPTO’s contract review and oversight processes are not ensuring that they are added.

[8] The task order states that the contractor would mimic an external attacker trying to penetrate the target systems, which contain sensitive but unclassified USPTO data.

B. Contract Risk Levels Are Not Designated Correctly, and Background Screenings May Be Too Low for Many Contractor Employees

One way the government has traditionally sought to protect its assets is to subject employees to background screening. The level of scrutiny a federal employee receives is dictated by the sensitivity of the position he holds, that is, the damage an individual, by virtue of his position, could cause to the efficiency or integrity of agency operations or national security. As the government’s reliance on contractors has increased, contractor employees working at government facilities have been subjected to screening as well. Clause 74 expands this requirement by mandating screening, regardless of location, for contractor employees who have access to government IT systems or who use IT systems that are interconnected with agency networks.

Contractor screening is based on the level of risk to the government posed by the contract. The associated risk designation (high, moderate, or low) defines the extent of screening. Clause 74 provides that contract risk level determinations be made in accordance with section 1337.70 of the Commerce Acquisition Manual (CAM).[9] The appendix to this report presents the current CAM criteria for designating contract risk levels. It should be noted, however, that these criteria are undergoing change in response to a new security control framework developed by NIST.[10] With the new framework, risk is to be determined not only by the function an individual performs, but also by the potential impact on an organization should certain events occur that jeopardize information and information systems. The Department’s CIO has adopted the new framework in the recently revised Commerce IT security policy and has initiated an effort to have the relevant Departmental suitability, security, and acquisition policies and guidance updated accordingly.

USPTO designated all the contracts in our sample as low risk. As a result, the employees working under these contracts were subject to a National Agency Check and Inquiries (NACI) investigation, one of the least comprehensive screening levels. As shown in table 2, the relevant CAM criteria suggest that some contracts in our sample should have high or moderate risk level designations. For example, the patent data capture contract gives contractors access to patent applications before they are published. Because the potential to unfairly exploit the information contained in patent applications is so great, federal law, 35 USC 122, prohibits its disclosure.

We were unable to determine USPTO’s criteria for designating contract risk levels because the contract files contained no documentation regarding the determinations.
To understand these decisions, we discussed the designations with agency personnel, who offered two explanations:

    • USPTO information is not classified or designated national critical, so higher risk designations are unnecessary.
    • Agency personnel who manage the contracts or perform similar work are in positions designated low risk; therefore, contractor employees should have the same risk designations as their agency counterparts.

[9] CAM 1337.70 directs a program office representative, typically the COR, to make contract risk level designations in conjunction with operating unit management, office of security, and the procurement office. Section (a)5 of clause 74 states that the contracting officer makes contract risk level designations.
[10] NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, February 2005.

While these explanations may have contributed to improper risk level determinations, an agency-wide preference for operating in a low-risk environment appears to underlie the problem. The low-risk designations of the contracts in the sample are not anomalies. USPTO senior managers told us that nearly all agency contracts are designated low risk. Further, an overwhelming percentage of USPTO positions are similarly designated low risk. USPTO’s IT security handbook strongly favors low-risk designations, stating that agency contracts should require NACI screening.

Table 2. USPTO Risk-Level Designation Compared to CAM Criteria

    System Design and Integration (SDI) contracts (2 contracts)
        Contract work: System design and development, allowing access to operational systems and underlying IT infrastructure.
        USPTO risk level: Low
        CAM risk level: High
        Relevant CAM criteria: Designing and operating a computer system that includes ADP hardware, software, and/or data communications, regardless of the sensitivity of the data. Access to a computer system that could result in grave damage or in personal gain.

    Patent Data Capture contract (1 contract)
        Contract work: Managing patent applications, allowing access to pre-publication patent applications, confidentiality required by 35 USC 122.
        USPTO risk level: Low
        CAM risk level: High (or, at minimum, Moderate)
        Relevant CAM criteria: High: Access to a computer system during the operation or maintenance process that could result in grave damage or in personal gain. Moderate: Work involving access to sensitive information.

    System Engineering and Technical Assistance (SETA) contract (1 contract)
        Contract work: Developing and implementing USPTO IT security program, allowing access to security plans, and proprietary/confidential information.
        USPTO risk level: Low
        CAM risk level: High
        Relevant CAM criteria: Planning and implementing a computer security program.
The handbook neither provides high or moderate risk designations as alternatives, nor does it describe when high or moderate risk designations are appropriate.

At our exit conference, USPTO officials expressed serious concerns about the possibility of having more comprehensive background screenings than the NACI investigation, as described above, citing the financial burden as well as delays in performing work while screenings are being performed, which they believe could impact operations. We note, however, that after pre-employment checks, clause 74 and CAM 1337.70 both allow contractors and employees to start work prior to completion of the appropriate investigation so long as the process is initiated within 3 days after work commences. This is not to diminish the importance of investigative screening, but rather gives agencies some flexibility to secure agency assets and information while maintaining operations.[11] Another flexibility is that even if a contract is designated as high or moderate risk, some employees may be screened at a lower level as appropriate for their work as long as adequate controls are established to ensure they do not perform higher risk work, or gain access to information or systems for which they are not screened. USPTO needs to develop a plan and schedule for reviewing contract risk designations and modifying them as appropriate.

[11] Clause 74 states, “At the option of the government, interim access to DOC IT systems may be granted pending favorable completion of a pre-employment check. Final access may be granted only on completion of an appropriate investigation based upon the risk level assigned to the contract by the Contracting Officer.”

Completing appropriate background screening is the initial step in overseeing contract IT security. Background screening is designed to identify individuals who pose a risk to government assets and operations based on past conduct and associations. However, screening alone does not effectively safeguard government information and IT systems because individuals who have successfully passed the screening process can introduce risks, either intentionally or not. Vulnerabilities in contractor systems that contain sensitive agency information or connect to an agency network can disrupt agency operations or allow unauthorized access to information. Certifying and accrediting contractor systems guards against such threats by ensuring technical, operational, and management controls work as intended.

C. Failure to Certify and Accredit Contractor Systems Places USPTO at Risk

Certification and accreditation is an integral part of an agency’s information security program. Certification is the formal testing of an IT system’s security controls to determine whether they are operating as intended and producing the desired outcome. With this information, agencies can decide, based on risk, how best to minimize the potential for disruption to operations. Accreditation is management’s formal authorization to allow a system to operate, and acceptance of remaining system vulnerabilities.

Contractor Systems Are Not Certified or Accredited

Departmental and USPTO IT security programs provide for IT system certification and accreditation. Clause 73 requires contractor IT systems to undergo the C&A process when they either are connected to a USPTO network, or process or store sensitive agency data. The C&A package must be submitted within 14 days after contract award.[12] Packages must include a risk assessment, system security plan, contingency plan, system test plan and test results, and the certifier’s recommendation.

None of the USPTO contractor systems, including those in our sample, has been certified and accredited, nor had any of the contractors submitted a C&A package,[13] even though the 14-day deadline for submission has long passed. The failure to certify and accredit contractor systems is particularly troubling because most systems in our sample are operational and connected to the USPTO network or contain sensitive agency data without the assurance that they are adequately secure.

[12] After we completed our fieldwork for this report, we met with officials from the Department’s OCIO and OAM to raise concerns about the feasibility of the 14-day deadline. They told us that the Department is considering ways to improve implementation of the C&A requirement and is aware that 14 days to complete a certification and accreditation package is unreasonable. The Department’s IT Security Program Manager is interpreting the 14 days to be the period within which the contractor must submit to the agency its detailed plans for completing the certification and accreditation process.
[13] One contractor submitted elements of a draft C&A package in September 2004, but no further action was taken on it after the ITSPO proposed revisions.

We are not the first to raise concerns about the risks of USPTO contractor systems and compliance with IT security requirements.
Last September, the agency issued a report of its\nown, summarizing vulnerabilities of contractor systems in all security control areas. The report\xe2\x80\x99s\nprimary recommendation was for USPTO to better enforce existing IT security contract\nrequirements.14\n\nFactors Contributing to Noncompliance with the C&A Requirement\n\nSeveral factors explain why contractors have ignored the C&A requirement:\n\n      \xe2\x80\xa2\t USPTO did not clearly communicate the magnitude and importance of the C&A \n\n         requirement in contract solicitations and modifications. \n\n\n      \xe2\x80\xa2\t Once clause 73 was in the contracts, the agency did not administer the C&A requirement\n         in a manner that promoted compliance.\n\n      \xe2\x80\xa2\t None of the involved USPTO operating units provided the leadership necessary to\n         coordinate the roles of contracting officers, CORs, and ITSPO. This coordination is\n         required since various individuals have complementary roles in overseeing contractors\xe2\x80\x99\n         adherence to security policies.\n\nEach point is discussed in more detail below.\n\nFailure to communicate the magnitude and importance of the C&A requirement. Clause 73\nestablishes a 14-day deadline for submission of the C&A package because of the potential for\ndisruption to government operations once work under the contract begins. Contractors must\nrecognize and understand C&A requirements when solicitations are issued or contracts are\nmodified. Below, we identify several ways contractors\xe2\x80\x99 awareness of the C&A requirement\ncould have been improved:\n\n      \xe2\x80\xa2\t Contract Deliverable. The C&A package was not identified as a deliverable in\n         solicitations or contract modifications. Had it been, contractors might have recognized\n         that submission of the C&A package was part of the required contract performance.\n\n      \xe2\x80\xa2\t Application of the Requirement. 
When USPTO modified contracts to include the C&A\n         requirement, it did not formally advise contractors whether the requirement applied.\n         About 35 contracts were modified in March 2004 to include clause 73, but the C&A\n         requirement did not apply to all 35. Some contractors may have been unsure about\n         whether the requirement applied to them.\n\n      \xe2\x80\xa2\t Elements of a C&A Package. Clause 73 references additional guidance on the elements of\n         a C&A package, but such reference, by itself, is insufficient to clearly communicate the\n         complexity of the C&A effort, which is a new undertaking for many contractors.\n\n14\n     USPTO, September 17, 2004. USPTO Contractor Facilities Security Assessment Executive Overview.\n\n\n                                                       9\n\n\x0cU.S. Department of Commerce                                       Final Inspection Report OSE-17455\n\nOffice of Inspector General                                                          September 2005\n\n\n           Specific direction on what a C&A package must contain should have accompanied\n           solicitations and contract modifications. USPTO needs to provide C&A guidance that\n           meets OMB\xe2\x80\x99s directive that contractors and federal agencies have \xe2\x80\x9cidentical, not\n           equivalent\xe2\x80\x9d IT security procedures.\n\n      \xe2\x80\xa2\t C&A Costs. USPTO did not develop cost estimates for certifying and accrediting\n         contractor systems. Without estimates, a fixed price for contractors\xe2\x80\x99 C&A efforts could\n         not be established. Contractors whose contracts were modified by the addition of clause\n         73 would have been more attentive to the C&A requirements if a fixed price was\n         associated with the effort. 
Various USPTO personnel told us that cost has not been an\n         issue for contractors; perhaps this is because contractors have done little to comply with\n         the C&A requirement. Some USPTO personnel acknowledged knowing first-hand of the\n         significant cost and time necessary to complete C&A. Without estimates or established\n         contract prices, there is greater uncertainty as to USPTO\xe2\x80\x99s financial liability for\n         implementation of the C&A requirement. In the event that contractors seek additional\n         funding to comply with the C&A requirement, USPTO could pay more than it otherwise\n         would have because there is no contract pricing or cost estimates for assessing the\n         reasonableness of contractors C&A costs.\n\nFailure to administer the C&A requirement in a manner that promoted contractor compliance.\nEven though the C&A requirement was added to contracts, contractors were not given reason to\nthink certification and accreditation was a USPTO priority. For all the contracts in the sample,\nthe 14-day deadline passed without submission of C&A packages.15 From our review of contract\nfiles and requests for USPTO documents, we found no documentation indicating that, prior to\nexpiration of the deadline, USPTO:\n\n       \xe2\x80\xa2\t Warned contractors the deadline was approaching;\n       \xe2\x80\xa2\t Informed them that clause 73 allows for contract termination when they do not satisfy\n          the C&A requirement; or\n       \xe2\x80\xa2\t Extended the deadline, or informed contractors that a new deadline would be established.\n\nAfter the deadlines expired, no money was withheld for not submitting C&A packages, nor was\naccess to sensitive information or the USPTO network curtailed. 
By not using any of the tools\navailable to address noncompliance with the contracts, contractors came to the conclusion that\nthe C&A process was not a priority for USPTO.\n\nFailure to coordinate the roles of contracting officers, CORs, and ITSPO. Finally, the absence\nof strong leadership from USPTO personnel responsible for implementing contractor IT security\ncontributed to the noncompliance with C&A requirement. At the time of our fieldwork, ITSPO\npersonnel were working to secure contractor connectivity to the agency\xe2\x80\x99s network and provide\ndetailed direction on C&A packages. The difficulty of this effort, which was directed toward a\nsingle contractor, highlights the need for coordination among the USPTO operating units\noverseeing contractor IT security. ITSPO provided us with a copy of a draft appendix to the IT\nsecurity handbook, which attempts to delineate responsibilities for IT security in contracts. As\n\n15\n     See footnote 10.\n\n\n                                                 10 \n\n\x0cU.S. Department of Commerce                                              Final Inspection Report OSE-17455\nOffice of Inspector General                                                                 September 2005\n\nnoted in our September 2004 report on contractor IT security,16 contracting officers, CORs,\nsystem owners, and ITSPO have significant and complementary roles in overseeing contractors\xe2\x80\x99\nadherence to appropriate security policies. These individuals need to work together to protect\nUSPTO operations from potential risks arising from contractors\xe2\x80\x99 network connectivity or access\nto sensitive information. 
While USPTO ultimately must decide the best way to coordinate\noversight of contractor IT security, the CORs\xe2\x80\x99 familiarity with the operational needs of the\nagency, the contractor, and various security issues appear to make the COR position a strong\ncandidate for taking the lead in coordinating the involvement of the various individuals involved\nin contractor IT security oversight.\n\n\nRecommendations\n\nThe Under Secretary of Commerce for Intellectual Property and Director of the U.S. Patent and\nTrademark Office should direct appropriate management officials to ensure that:\n\n1.\t A plan and schedule are developed for certifying and accrediting contractor systems that\n    connect to the USPTO network, or process or access sensitive agency information.\n\n        a.\t As part of the planning, develop cost estimates for addressing USPTO budget needs\n            and contractor funding requests.\n        b.\t Improve communication with contractors so they are fully aware of specific C&A\n            requirements and USPTO expectations.\n\nSynopsis of USPTO\xe2\x80\x99s Response.\nUSPTO agreed with this recommendation. USPTO stated that it would work with the\nDepartment CIO Office and OIG to establish criteria for determining risk levels. USPTO also\nindicated that it would develop a plan and schedule for identifying contractor systems requiring\nC&A and for performing C&A. 
USPTO intends to develop procedures to improve\ncommunications with contractors about C&A requirements and to identify the C&A\nrequirements as a priced deliverable in solicitations or contract modifications.\n\n2.\t Contractor systems are certified and accredited in accordance with FISMA and implementing\n    regulations.\n\n        a.\t Designate appropriate USPTO program officials responsible for accrediting systems.\n        b.\t Assign USPTO personnel to participate in the certification process.\n        c.\t Test security control at a level that corresponds to risks associated with the system.\n\nSynopsis of USPTO\xe2\x80\x99s Response.\nUSPTO agreed with this recommendation, stating that it will review risk designations, designate\na program official to oversee contractor C&A activities, and assign USPTO personnel to\nparticipate in all aspects of contractor C&A efforts. USPTO also pointed out that NIST Special\n\n16\n  U.S. Department of Commerce Office of Inspector General, September 2004. Office of the Secretary: Information\nSecurity in Information Technology Security Contracts Is Improving, but Additional Efforts Are Needed, OSE\n16513.\n\n\n                                                      11 \n\n\x0cU.S. Department of Commerce                                              Final Inspection Report OSE-17455\nOffice of Inspector General                                                                 September 2005\n\nPublication 800-60, Guide for Mapping Types of Information and Information Systems to\nSecurity Categories, generally sets sensitivity data for intellectual property at the \xe2\x80\x9clow\xe2\x80\x9d level.\n\nOIG Comment on USPTO Response.\nIt should be recognized that while NIST Special Publication 800-60 generally sets sensitivity\nlevels for intellectual property as \xe2\x80\x9clow,\xe2\x80\x9d this guidance specifically identifies pre-published patent\napplications as having a moderate impact level and identifies 35 U.S.C. 
\xc2\xa7 122 as a Federal statute\nrequiring protection of pre-publication from disclosure.17\n\n3.\t CORs, managers, and security officers understand the criteria for determining appropriate\n    contract risk level designations.\n\nSynopsis of USPTO\xe2\x80\x99s Response.\nUSPTO agreed with this recommendation. USPTO stated that it would develop guidelines, to\ninclude documentation of decision making, to implement criteria for determining contract risk\nlevel designations.\n\n4.\t A plan and schedule are developed for reviewing existing contract risk designations and\n    modifying them as appropriate.\n\nSynopsis of USPTO\xe2\x80\x99s Response.\nUSPTO agreed with this recommendation. USPTO stated that it would review existing contract\nrisk level designations and make modifications where appropriate.\n\n5.\t IT security clauses are incorporated into all new task orders under government-wide service\n    contracts.\n\nSynopsis of USPTO\xe2\x80\x99s Response.\nUSPTO agreed with this recommendation. USPTO stated that it will review task orders under\ngovernment-wide contracts for compliance with contractor IT security requirements and include\na line item for C&A deliverables where appropriate.\n\n6.\t The draft appendix in the IT security handbook\xe2\x80\x94which establishes roles and responsibilities\n    for implementing IT security in acquisitions\xe2\x80\x94is reviewed and modified as needed.\n\nSynopsis of USPTO\xe2\x80\x99s Response.\nUSPTO agreed with this recommendation. USPTO stated that OCIO has revised Appendix W\nfor review within USPTO and that final updates will be made as needed.\n\n\n\n\n17\n   NIST Special Publication 800-60, Volume II: Appendixes to Guide for Mapping Types of Information and\nInformation Systems to Security Categories, June 2004, pp. 215-216 and Appendix E.\n\n\n\n                                                     12 \n\n\x0cU.S. 
Appendix
Risk Levels for Nonclassified Contracts

Criteria from Commerce Acquisition Manual 1337.70, Attachment 1
"Security Processing Requirements for On-Site Service Contracts"

High Risk
   • Work which involves continuous foreign travel of 90 days or more under the auspices of DOC;
   • Work involved in functions or in operations of the Department that are critical to the accomplishment of the mission of the Department;
   • Work involved in investigative, compliance, or senior level auditing duties;
   • Work which occurs during restricted hours within a DOC building which houses classified information or equipment, and which is not supervised by an appropriately cleared government employee, where appropriate physical security measures are not in place to prevent unauthorized disclosure;
   • Work which involves fiduciary, public contact, or other duties involving the highest degree of public trust;
   • ADP work involved in:
      o Planning, directing, and implementing a computer security program;
      o Directing, planning, designing, and operating a computer system that includes ADP hardware, software, and/or data communications, regardless of the sensitivity or classification of the information stored on the system; or
      o Access to a computer system, during the operation or maintenance process, that could result in grave damage or in personal gain; and
      o Any other work designated High Risk by the contracting officer or the head of the operating unit or departmental office.

Moderate Risk
   • Work which involves free access and movement within a DOC building which houses classified information or equipment during normal work hours with little or no supervision by an appropriately cleared government employee;
   • Work which occurs during restricted hours within a DOC building which houses classified or sensitive information or equipment even though supervised by a government employee;
   • ADP work in which the incumbent will be responsible for the direction, planning, design, operation, or maintenance of a computer system, and whose work is technically reviewed by government personnel processed at the Critical–Sensitive level or above to ensure the integrity of the system;
   • Work which requires access to sensitive information (information protected under the Privacy Act or Title 13, etc.); and
   • Work involving foreign travel of less than 90 days duration.

Low Risk
Work that does not fall into any of the above categories and would be equivalent to a low risk designation if the individual was performing the work as an employee.

Attachment